Home Depot settles shareholder suit over data breach

Home Depot Inc.’s board will closely monitor the company’s cyber security measures under a proposed settlement reached with shareholders in litigation filed in response to the retailer’s 2014 data breach.

The proposed settlement in In re: The Home Depot Inc. Shareholder Derivative Litigation follows previously announced settlements with consumers and financial institutions impacted by the data breach at the Atlanta-based firm.

The proposal says Home Depot and its shareholders will benefit from the settlement “because the negotiated corporate governance reforms enable proper monitoring of the company’s data security systems and provide greater oversight by the board through periodic reports from management regarding the company’s cybersecurity practice.”

Under terms of the proposed settlement, which was reached with the help of a mediator and filed in U.S. District Court in Atlanta on Friday, Home Depot’s board will:

• Document the duties and responsibilities of the chief information security officer
• Periodically conduct table top cyber exercises
• Monitor and periodically assess key indicators of compromise on computer network endpoints
• Maintain and periodically assess the company’s partnership with a dark web mining service to search for confidential Home Depot information
• Receive periodic reports from management regarding the amount of the company’s information technology budget, and the percentage of it spent on cyber security measures
• Maintain an incident response team and plan
• Maintain membership in at least one information sharing and analysis organization
• Retain information technology, data and security experts and consultants as deemed necessary

Plaintiff attorneys will receive fees and expenses of up to $1.125 million under terms of the settlement subject to the court’s review and approval, according to court papers.